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DETAILED ACTION 

Applicant amends claims 1, 2, 4, 5 and 7-10. 
Claims 1-5 and 7-1 1 are presented for examination. 

Response to Arguments 

Applicant's arguments with respect to claims 1-5 and 7-11 have been considered 
but are moot in view of the new ground(s) of rejection. 

Applicant amends claims to include "reading one byte of the data; judging 
whether a branch destination address associated with a branch destination is larger 
than a branch origin address based only on the one byte of the data read; storing the 
branch origin address associated with the retrieved instruction code and the branch 
destination address associated with the branch destination of the instruction code when 
the branch destination address associated with the branch destination is judged to be 
larger than the branch origin address." The Examiner introduces Yoshimi (U.S. Pat Pub 
2001/0011346 A^) infra. 

The fact that the Examiner may not have specifically responded to any particular 
arguments made by Applicant and Applicant's Representative, should not be construed 
as indicating Examiner's agreement therewith. 

Claim Objections 

Claim 3 is objected to because of the following informalities: 
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Claim 3 is objected as the claim is identified as "Currently amended" yet no 
amendments are present in the most recent claim dissemination. 
Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1 . Claims 1-5 and 7-1 1 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Sakai et al (JP 09-128264 A), hereinafter referred to as Sakai, in view of Hollander 
et al (U.S. Pat 6301699 B1), hereinafter referred to as Hollander, in further view of 
Yoshimi, (U.S. Pat Pub 2001/001 1346 Al), hereinafter referred to as Yoshimi. A 
translated copy of Sakai was provided in earlier correspondence. 

Re claims 1. 2. 4-7 : Sakai teaches a data processing method including receiving 
input data containing a plurality of instruction codes, said method comprising: 

retrieving an instruction code related to a branch instruction from the data (page 
18, lines 12-17); 

judging whether or not an instruction code for calling an instruction code group 
for executing a predetermined process is associated with the branch destination 
address (page 26: 1|18; page 27, lines 8-15; page 29, lines 3-12); 

storing a call destination address of the instruction code if the instruction code is 
associated with the branch destination address (page 3, lines 1-2; page 9, line 21 - 
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page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13; page 44, 
see register); and 

judging whether or not the stored call destination address is between the branch 
origin address and the branch destination address (page 9, line 21 - page 10, line 5; 
page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13); 

Hollander teaches: 

judging whether or not a process executed based on the instruction codes 
contained in the received data is a malicious process (Fig 4B, all elts: col 4, lines 62- 
65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
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between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches concluding that the process 
executed based on the instruction codes contained in the data is a malicious process 
(Hollander: col 1 , line 64 - col 2, line 3; Fig 4B, all elts: col 4, lines 62-65), when the 
instruction code for calling the instruction code group for executing the predetermined 
process is associated with the branch destination address and the call destination 
address of the instruction code is between the branch origin address and the branch 
destination address (Sakai: page 9, line 21 - page 10, line 5; page 17, lines 21-23; page 
22, lines 8-16; page 25, lines 4-13). 

While the combination of Sakai and Hollander teaches reading a plurality of 
instructions (Sakai: claim 1, line 6; page 17, HI 2, line 7; Hollander: Fig 7, elt 141). The 
combination of Sakai and Hollander is silent as to teaching judging whether a branch 
destination address associated with a branch destination is larger than a branch origin 
address based only on the one byte of the data read; storing the branch origin address 
associated with the retrieved instruction code and the branch destination address 
associated with the branch destination of the instruction code when the branch 
destination address associated with the branch destination is judged to be larger than 
the branch origin address. 

Yet, Yoshimi teaches reading one byte of the data (Fig 3; 1|20; 1|23; 1|30); 

judging whether a branch destination address [HI 67: e.g. "branch destination 
address"] associated with a branch destination [HI 67: e.g. "branch instruction 
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information"] is larger tlian a brancli origin address [1|172: e.g. "program count value 
(address)"] based only on the one byte of the data read 72-1|1 73); 

storing the branch origin address [1|41: "A branch instruction, a program count 
value and branch history information are provided ..."] associated with the retrieved 
instruction code [Fig 3; 1f21-1f24; e.g. "instruction"] and the branch destination address 
[|f167: e.g. "branch destination address"] associated with the branch destination [11167: 
e.g. "branch instruction information"] of the instruction code when the branch destination 
address [1|167: e.g. "branch destination address"] associated with the branch 
destination [11167: e.g. "branch instruction information"] is judged [11170: "comparing 
circuit"] to be larger than the branch origin address [1|172: e.g. "program count value 
(address)"] (Fig 14; 1|158; 1|170-1|176; 1|184). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai and Hollander with the 
teachings of Yoshimi, for the purpose of predicting program execution in file processes 
as taught by (1[282). 

Re claim 3 : The combination of Sakai, Hollander and Yoshimi teaches means for 
judging whether or not a predetermined character string is associated with a return 
address of the instruction code group, wherein if the character string is associated with 
the return address, the information indicating that the data is data for executing a 
malicious process is outputted (Sakai: pages 37 and 40: "CALL and RET instruction 
detecting parts;" page 42: "Branch origin/destination registers;" Hollander: Fig 4B, all 
elts). 
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Re claim 8 : Sal<ai teaclies a data processor comprising: 
an input unit for inputting data containing a plurality of instruction codes (page 2, 
lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and a 
controller capable of performing operations (page 2, lines 1-2) of: 

retrieving an instruction code related to a branch instruction from the data stored 
in the storing unit (page 18, lines 12-17); 

judging whether or not an instruction code for calling an instruction code group 
for executing a predetermined process is associated with the branch destination 
address (page 26: 1|18; page 27, lines 8-15; page 29, lines 3-12); 

storing a call destination address of the instruction code in the storing unit if the 
instruction code is associated with the branch destination address (page 3, lines 1-2; 
page 9, line 21 - page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25, 
lines 4-13; page 44, see register); 

judging whether or not the stored call destination address is between the branch 
origin address and the branch destination address (page 9, line 21 - page 10, line 5; 
page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13). 

Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
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Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches the instruction code for calling 
the instruction code group for executing the predetermined process is associated with 
the branch destination address and the call destination address of the instruction code 
is between the branch origin address and the branch destination address (Sakai: page 
9, line 21 - page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4- 
13). 

While the combination of Sakai and Hollander teaches reading a plurality of 
instructions (Sakai: claim 1, line 6; page 17, HI 2, line 7; Hollander: Fig 7, elt 141). The 
combination of Sakai and Hollander is silent as to teaching judging whether a branch 
destination address associated with a branch destination is larger than a branch origin 
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address based only on the one byte of the data read; storing the branch origin address 
associated with the retrieved instruction code and the branch destination address 
associated with the branch destination of the instruction code in the storing unit when 
the branch destination address associated with the branch destination is judged to be 
larger than the branch origin address. 

Yet, Yoshlmi teaches reading one byte of the data (Fig 3; 1|20; 1|23; 1130); 

judging whether a branch destination address [1|167: e.g. "branch destination 
address"] associated with a branch destination [1|167: e.g. "branch instruction 
information"] is larger than a branch origin address [1|172: e.g. "program count value 
(address)"] based only on the one byte of the data read (1|172-1|173); 

storing the branch origin address [1|41: "A branch instruction, a program count 
value and branch history information are provided ..."] associated with the retrieved 
instruction code [Fig 3; 1[21-1[24; e.g. "instruction"] and the branch destination address 
[11167: e.g. "branch destination address"] associated with the branch destination [11167: 
e.g. "branch instruction information"] of the instruction code in the storing unit [1|23: e.g. 
"secondary cache;" 1|40: "branch prediction information storage part"] when the branch 
destination address [11167: e.g. "branch destination address"] associated with the 
branch destination [11167: e.g. "branch instruction information"] is judged [11170: 
"comparing circuit"] to be larger than the branch origin address [1|172: e.g. "program 
count value (address)"] (Fig 14; 1|158; 1|170-1|176; 1|184). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai and Hollander with the 
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teachings of Yosliinni, for the purpose of predicting program execution in file processes 
as taught by (1[282). 

Re claim 9 : Sakai teaches a data processor comprising: 

an input unit for inputting data containing a plurality of instruction codes (page 2, 

lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and 
a controller capable of performing operations (page 2, lines 1-2) of: 
retrieving an instruction code for calling an instruction code group for executing a 
predetermined process from the data (page 18, lines 12-17). 
Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
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commonplace in polymorpliic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches judging whether or not a 
predetermined character sthng is associated with a return address of the instruction 
code group (Sakai: pages 42-43, elts: ST32 & ST35). 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process when the instruction code for calling the instruction 
code group for executing the predetermined process is in the data and the 
predetermined character string is associated with the return address of the instruction 
code group (Hollander: Fig 3, all elts: col 4, lines 57-58; col 5, lines 12-16). 

While the combination of Sakai and Hollander teaches reading a plurality of 
instructions (Sakai: claim 1, line 6; page 17, HI 2, line 7; Hollander: Fig 7, elt 141). The 
combination of Sakai and Hollander is silent as to teaching judging whether a branch 
destination address associated with a branch destination is larger than a branch origin 
address based only on the one byte of the data read; storing the branch origin address 
associated with the retrieved instruction code and the branch destination address 
associated with the branch destination of the instruction code when the branch 
destination address associated with the branch destination is judged to be larger than 
the branch origin address. 

Yet, Yoshimi teaches reading one byte of the data (Fig 3; 1|20; 1|23; 1|30); 
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judging whether a branch destination address [11167: e.g. "branch destination 
address"] associated with a branch destination [1|167: e.g. "branch instruction 
information"] is larger than a branch origin address [1|172: e.g. "program count value 
(address)"] based only on the one byte of the data read (1|172-1|173); 

storing the branch origin address [1|41: "A branch instruction, a program count 
value and branch history Information are provided ..."] associated with the retrieved 
instruction code [Fig 3; 1[21-1[24; e.g. "instruction"] and the branch destination address 
[1[167: e.g. "branch destination address"] associated with the branch destination [1[167: 
e.g. "branch Instruction Information"] of the instruction code when the branch destination 
address [1[167: e.g. "branch destination address"] associated with the branch 
destination [1[167: e.g. "branch instruction information"] is judged [1[170: "comparing 
circuit"] to be larger than the branch origin address [1[172: e.g. "program count value 
(address)"] (Fig 14; 11158; 1I170-1[176; 1[184). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai and Hollander with the 
teachings of Yoshimi, for the purpose of predicting program execution in file processes 
as taught by (11282). 

Re claim 10 : Sakal teaches a data processor comprising: 

an Input unit for inputting data containing a plurality of instruction codes (page 2, 
lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and 
a controller capable of performing operations (page 2, lines 1-2) of: 
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retrieving an instruction code for calling an instruction code group for executing a 
predetermined process from the data (page 26: 1|18; page 27, lines 8-15; page 29, lines 
3-12); 

judging whether or not an instruction code for obtaining a return address of the 

instruction code group is contained in the instruction code group if the instruction code 
is retrieved (page 6: eighth step; page 19: 1|13; page 41 : ST2; page 44: 7). 
Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
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between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches when the instruction code for 
calling the instruction code group for executing the predetermined process is in the data 
and the instruction code for obtaining the return address of the instruction code group is 
contained in the instruction code group (Sakai: page 9, line 21 - page 10, line 5; page 
17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13). 

While the combination of Sakai and Hollander teaches reading a plurality of 
instructions (Sakai: claim 1, line 6; page 17, 1|12, line 7; Hollander: Fig 7, elt 141). The 
combination of Sakai and Hollander is silent as to teaching judging whether a branch 
destination address associated with a branch destination is larger than a branch origin 
address based only on the one byte of the data read; storing the branch origin address 
associated with the retrieved instruction code and the branch destination address 
associated with the branch destination of the instruction code when the branch 
destination address associated with the branch destination is judged to be larger than 
the branch origin address. 

Yet, Yoshimi teaches reading one byte of the data (Fig 3; 1120; 1123; 1130); 

judging whether a branch destination address [11167: e.g. "branch destination 
address"] associated with a branch destination [1|167: e.g. "branch instruction 
information"] is larger than a branch origin address [1|172: e.g. "program count value 
(address)"] based only on the one byte of the data read (1|172-1|173); 
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storing the branch origin address [1|41: "A branch instruction, a program count 
value and branch history Information are provided ..."] associated with the retrieved 
Instruction code [Fig 3; 1|21-1|24; e.g. "instruction"] and the branch destination address 
[11167: e.g. "branch destination address"] associated with the branch destination [1|167: 
e.g. "branch instruction information"] of the instruction code when the branch destination 
address [HI 67: e.g. "branch destination address"] associated with the branch 
destination [1[167: e.g. "branch Instruction information"] Is judged [1[170: "comparing 
circuit"] to be larger than the branch origin address [1[172: e.g. "program count value 
(address)"] (Fig 14; 11158; 1[170-1[176; 1[184). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakal and Hollander with the 
teachings of Yoshlml, for the purpose of predicting program execution In file processes 
as taught by (11282). 

Re claim 1 1 : The combination of Sakal, Hollander and Yoshlmi teaches the 
malicious process causes an erroneous operation In the process executed based on the 
Instruction codes contained In the received data (Hollander: Fig 4b, elt 106: col 4, lines 
62-65). 

Conclusion 

Examiner's Note: Examiner has cited particular columns and line numbers In the 
references applied to the claims above for the convenience of the applicant. Although 
the specified citations are representative of the teachings of the art and are applied to 
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specific limitations witliin the individual claim, other passages and figures may apply as 
well. It is respectfully requested from the applicant in preparing responses to fully 
consider the references in entirety as potentially teaching all or part of the claimed 
invention, as well as the text of the passage taught by the prior art or disclosed by the 
examiner. 

In the case of amending the claimed invention. Applicant is respectfully 
requested to indicate the portion(s) of the specification which dictate(s) the structure 
relied on for proper interpretation and also to verify and ascertain the metes and bounds 
of the claimed invention. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 
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Any inquiry concerning tliis communication or earlier communications from the 
examiner should be directed to DARREN SCHWARTZ whose telephone number is 
(571)270-3850. The examiner can normally be reached on 7am-4pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571)272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/□. S./ 

Examiner, Art Unit 2435 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



